- From: Adam Barth <whatwg@adambarth.com>
- Date: Mon, 29 Sep 2008 13:06:09 -0700
The current proposal is to send the Origin header for non-GET, non-HEAD requests. The main reason not to send the header all the time is that it raises similar privacy concerns as the Referer header, which have caused the Referer header to be suppressed a non-trivial fraction of the time. Sending the Origin header more often is better for security, but it is a gamble. If we decide to send it too often, users/network operators will just suppress the header and we won't have improved the situation. Sending the header for <form> POSTs seems like a clean design point because sites don't POST to untrusted sites nearly as often as they hyperlink to them.

Adam

On Mon, Sep 29, 2008 at 5:20 AM, Michal Zalewski <lcamtuf at dione.cc> wrote:
> On Mon, 29 Sep 2008, Anne van Kesteren wrote:
>
>> A cross-site XMLHttpRequest request would always include Origin. I haven't
>> really seen other specifications start using it yet, but I believe there are
>> some experimental implementations for including it in cross-site <form> POST
>> requests.
>
> Yup, I mean the non-XMLHttpRequest "Origin" header as proposed / implemented
> by Adam Barth and Collin Jackson for generic POSTs (though I might be not
> doing the implementation justice, so it's probably best for them to chime
> in).
>
> /mz
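The policy discussed above (browser sends Origin on non-GET, non-HEAD requests such as <form> POSTs, not on ordinary GETs) only helps if the receiving site actually checks the header on its state-changing endpoints. The following is an added example, not code from the thread or from any of its participants, of how a server could consume the header under that policy. The site name shop.example, the allow-list, the sample requests and the function names are all constructed for illustration. Note the design point the privacy caveat forces: a POST that arrives with no Origin, or with the literal value "null", fails closed, because a client or network operator that strips the header would otherwise reopen the CSRF hole.

```python
"""Added example: server-side Origin check for state-changing requests.

Not part of the original mailing-list thread. Site name, allow-list and
sample requests below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Methods that must not change state; under the proposed policy the browser
# is not expected to send Origin on them, so none is required here.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Canonicalise an Origin value to 'scheme://host[:port]'.

    Returns None for the literal 'null' (the browser declined to reveal the
    origin) and for anything that is not a bare scheme://host[:port], since an
    origin never carries a path, query, fragment or credentials.
    """
    if value is None:
        return None
    value = value.strip()
    if value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:          # non-numeric or out-of-range port
        return None
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_request(method, headers, allowed_origins):
    """Decide whether a request may proceed; returns (allowed, reason).

    Safe methods pass without an Origin. Every other method must carry an
    Origin that normalises to an entry on the allow-list. A missing or
    'null' Origin is rejected rather than trusted.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method; Origin not required"
    # Header names are case-insensitive, so match them that way.
    raw = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if raw is None:
        return False, "state-changing request without Origin (suppressed?)"
    origin = normalize_origin(raw)
    if origin is None:
        return False, f"unusable Origin value {raw!r}"
    allowed = {normalize_origin(o) for o in allowed_origins}
    if origin in allowed:
        return True, f"Origin {origin} is trusted"
    return False, f"cross-site request from {origin} rejected"


# Constructed allow-list for a hypothetical site served at https://shop.example
ALLOWED = ["https://shop.example", "https://www.shop.example:443"]

# Constructed sample requests: (method, headers as the server would see them)
SAMPLES = [
    ("GET", {"Host": "shop.example"}),                     # plain navigation
    ("POST", {"Origin": "https://shop.example"}),          # same-site form
    ("POST", {"origin": "HTTPS://WWW.SHOP.EXAMPLE/"}),     # case/port variants
    ("POST", {"Origin": "https://attacker.example"}),      # cross-site form
    ("POST", {}),                                          # header stripped
    ("POST", {"Origin": "null"}),                          # origin withheld
]


def run_samples():
    """Return the allow/deny decision for each constructed sample, in order."""
    return [check_request(method, hdrs, ALLOWED)[0] for method, hdrs in SAMPLES]


if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        ok, why = check_request(method, hdrs, ALLOWED)
        print(f"{method:5} {hdrs!s:45} -> {'ALLOW' if ok else 'DENY ':5} {why}")
```

The last two samples are the ones the privacy trade-off in the message is about: once a fraction of clients suppress the header, a site that wants to keep serving those users has to pair the Origin check with a second defence (for example a per-session token in the form) rather than loosen the check to "allow when absent".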
Received on Monday, 29 September 2008 13:06:09 UTC